Risk management history and regulations (UK)

by Matthew Leitch, 23 March 2003

The origins of risk management
Risk management and corporate governance
The Sarbanes-Oxley crisis
The management control crisis
Enterprise Risk Management

The origins of risk management

Risk management has emerged more or less independently in a number of areas including: safety, insurance, banking, investment, medicine, artificial intelligence, mathematics, public policy analysis, and internal control. This article is concerned with only the last area, internal control. Although it is the least sophisticated, technically, it has become one of the most important and now affects just about everyone in any kind of organisation.

Risk management and corporate governance

In 1992, following a series of high profile corporate frauds and accounting scandals, the London Stock Exchange introduced new regulations covering various aspects of corporate governance such as who could be a director, what committees the Board of directors should have, and what steps they should take to ensure their company's accounts could be relied on and their assets were safeguarded. These new rules were based on the Cadbury Committee's Code of Best Practice for the financial aspects of corporate governance and applied to companies listed on the London Stock Exchange.

At around the same time a highly influential document was published in the USA, written by accountants Coopers & Lybrand for the Committee of Sponsoring Organisations of the Treadway Commission, and called the "COSO framework". Accountants and auditors had for years been using the term "internal controls" to refer to things people do in organisations to check for, or prevent, errors and fraud, particularly where they affect money and other valuable assets, and accounting.

The COSO framework took the traditional concept of "internal controls" and pointed out that internal controls had to provide protection against risks (i.e. bad things that might happen) and that those risks would change over time, so organisations would have to monitor their risks and change their internal controls to meet their changing risks.

So, one of the things that companies started doing to meet the Stock Exchange's requirements was to get senior executives together in workshops to identify risks and think about what they were doing about them. The results of these workshops were written down and called "risk registers" or "risk maps". Typically, participants in the workshops would call out risks they thought of and the group would then rate the risk for its "likelihood" and "impact" and say what was being done about the risk and what more, if anything, needed to be done.

These workshops came to be called "risk management" and, in theory, complemented more rigorous work on buying insurance for the company and calculating its exposure to financial risks such as currency fluctuations and outstanding debts. Banks have more complicated calculations to perform and need systems to provide daily risk statistics.

Proponents of this kind of process argued that it was good for companies and they should not even need the Stock Exchange's rules as motivation. They argued that the workshops should be carried on down through the levels of management in a company as something sometimes called "enterprise risk management".

Another common response was to introduce a regular procedure where managers throughout the company had to sign documents saying that they thought the internal controls in the part of the business they were responsible for were adequate. This is usually called "control self assessment". Often, the self assessment is done via workshops and internal auditors have usually been given the job of running them.

The original rules have since been revised and the current UK rules are within the Hampel Committee's "Combined Code", with the requirements on internal controls being explained and interpreted in the "Turnbull guidance" issued by the Institute of Chartered Accountants in England and Wales. Now UK listed companies have to evaluate their internal controls covering all types of risk, and not just the risk of incorrect accounts.

The Sarbanes-Oxley crisis

More recently Enron and then Worldcom collapsed, and yet more corporate scandals came to light causing outrage around the world. In the USA the Sarbanes-Oxley Act of 2002 was enacted very quickly to put in place a range of new laws to make such scandals less likely. Included in this Act were two very interesting new requirements concerning internal controls, including the risk management processes that are supposed to keep internal controls up to date. Section 302 effectively forced SEC registered companies (including UK companies with a listing in the USA) to evaluate the effectiveness of the internal controls over any information they issue to the capital markets and publish the conclusions of their evaluation. Section 404 added a requirement for an annual assessment of the effectiveness of internal controls and procedures specifically for financial reporting, which must be published and attested to by the company's external auditors.

In other words, for the first time, in most cases, the effectiveness of internal controls was to be audited. It may surprise you that this had not been required before. Surely external auditors already did this? Well, they didn't. Under the UK's Combined Code companies have to describe the procedures they have followed to evaluate their internal controls, and external auditors have to confirm that what they say is true. If a company's procedures sound reasonable when described in very general terms, the regulations are satisfied. There is no pressure for the procedures to be effective and no requirement for external auditors to comment on the effectiveness of internal controls. Therefore, the Sarbanes-Oxley Act was a great change for UK companies that also had a listing in the USA.

The requirements of sections 302 and 404 didn't come into force immediately. The Act called on the SEC (the regulator of financial markets in the USA) to introduce rules to enact the requirements of sections 302 and 404. Section 302 came into effect almost immediately, but did not require external auditing. The more controversial section 404 requirement for external audit was delayed after lengthy consultation on more than one occasion, but now applies to large companies with shares listed in the USA.

The key point is that companies affected, in theory, now need to have an effective method of risk management in place if they are to avoid great embarrassment, and the indications are that many do not have an effective approach because of technical flaws in top-level risk assessment and management.

I say "in theory" because in practice the true effectiveness of risk management workshops, risk registers, and the associated reporting has not been put to a proper test. The auditors who do the evaluations are simply happy to see the methods they believe should be in place, despite their obvious flaws.

But, this could change at any time. All it would take is one influential scandal or a growing trend for critically reviewing risk registers and the game would be up.

The management control crisis

At the same time, the global economy slowed and many companies that thought they were heading towards huge profits now found themselves in trouble. The worst affected companies included those linked to the internet (such as computer, software, and telecom companies) and companies linked to air travel.

Companies in difficulty are less able to absorb unexpected problems and desperately need to grab every good opportunity to improve their situation. Unfortunately, the style of management control that has become almost ubiquitous in developed countries since the mid 20th century does not perform well. Budgets and scorecards are supposed to provide management with a control mechanism that works like a thermostat, or collection of thermostats. Management set targets and the control system measures actual results and feeds back the difference between actuals and targets as a spur to action to reduce the differences.

This simply does not work well in practice for a number of fundamental reasons. Most importantly, problems have to affect a company's results before action is taken, which is too late, while opportunities are often ignored altogether because they do not give rise to variances.

Risk management involves looking ahead for things that might happen and taking action in advance. In principle this is clearly an important part of a better approach but so far what most companies have been doing is not frequent or effective enough to work properly.

Enterprise Risk Management

The buzz phrase "Enterprise Risk Management" refers to the idea of boosting the risk management workshops and registers, while integrating or coordinating specialist risk functions (like treasury, internal audit, insurance, safety) into one concerted effort. The idea is to "embed" risk management so that it is part of normal operations and not an additional bureaucratic chore.

Words © 2003 Matthew Leitch

